The GDPR: Why your organisation needs to conduct DPIAs

DPIAs (data protection impact assessments) help organisations identify, assess and mitigate the privacy risks arising from their data processing activities. They are particularly important when introducing new data processes, systems and technologies.

They are also essential for demonstrating compliance with the GDPR (General Data Protection Regulation).


When are DPIAs necessary?

Article 35 of the GDPR states that a DPIA is required if personal data processing is likely to result in a high risk to the rights and freedoms of data subjects. This includes:

  • Automated decision-making (including profiling) that could significantly affect data subjects;
  • Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, etc.); and
  • Systematic large-scale monitoring of public areas.

Data controllers are primarily responsible for conducting DPIAs, but Article 28(3)(f) adds that data processors must assist the controller in this process.


Simplify your DPIA requirements

The GDPR doesn’t outline how exactly organisations should conduct DPIAs. The intention is to avoid being overly prescriptive, but the reality is that many organisations have been left doubting themselves. This is where our DPIA Tool will help.

The tool walks you through the six steps you must complete as part of a GDPR-compliant DPIA.

  1. Process description, containing a questionnaire that prompts users for information about the process in question.
  2. Screening questions that help users work out whether they need to conduct a DPIA.
  3. Consultation questionnaire that prompts users for information about parties they’ve consulted (such as data subjects or their representatives).
  4. Principles questionnaire that prompts users to provide information about the necessity and proportionality of processing.
  5. Privacy risk assessment that gives users the means to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
  6. A review, containing a brief questionnaire asking users whether all the relevant tasks have been completed and whether the process is authorised to go ahead.

With the DPIA Tool, you don’t have to be a data protection expert; you just need to follow our advice.